Other areas Flashcards
In regards to Scripting Security:
What are the client-side GlideUser (g_user) API methods available?
- hasRole()
- hasRoleExactly()
- hasRoleFromList()
- hasRoles()
The client-side API methods can be used in any client-side script, such as Client Scripts and UI Policy scripts. Client-side security is the easiest security to break. Do not depend on client-side scripts to secure sensitive data.
In regards to Scripting Security:
The server-side GlideSystem (gs) API has these methods:
What must server-side scripts check in addition to these methods?
- getUser()
- getUserID()
- getUserName()
- hasRole()
- isLoggedIn()
- isInteractive()
- getSession()
The server-side GlideElement API has methods to check whether a user’s role allows them to access the associated GlideRecord(s):
- canCreate()
- canRead()
- canWrite()
In regards to Scripting Security:
What are the caveats to the client-side and server-side API methods, and what is the best approach for the highest level of security?
The client-side API methods can be used in any client-side script, such as Client Scripts and UI Policy scripts. Client-side security is the easiest security to break. Do not depend on client-side scripts to secure sensitive data.
The server-side methods can be used in any server-side script, such as Business Rules or Script Includes. Server-side scripted security is more secure than client-side scripted security. Any user with access to scripting fields can see the scripts and what the security checks are.
Neither client-side nor server-side scripts are part of the Debug Security Rules module. When security is scripted outside of Access Controls, it must be debugged independently of the Access Controls.
For the highest level of security, use Access Controls to protect sensitive data.
In regards to Scripting Security:
Which one of the following is used to control access to features and capabilities in applications and modules?
- Department
- Group
- Role
- Company
- Organization
The correct response is 3. Role. Roles are applied to Groups or Users to control access.
In regards to Scripting Security:
Which items can be configured with multiple roles to grant access? More than one response may be correct.
- Application
- Application Menu
- Module
- Table
- Business Rule
The correct responses are 2. Application Menu and 3. Module. Configure the Roles field for Application Menus and Modules to grant access to multiple roles.
Limit application access to a single role with the User role field in the Application Settings.
Table access is controlled with Access Controls. Access controls can grant access to multiple roles and operations on the table, but the table cannot be configured with roles directly.
Business Rules do not have any direct configuration of role access.
In regards to Scripting Security:
- Open the User menu and select the Impersonate user menu item. Select a user to impersonate.
- Open User Administration > Users, select a user, and click the Impersonate User related link.
- Open the User menu and select the Elevate Roles menu item. Select a user to impersonate.
- Open User Administration > Impersonate User and select a user to impersonate.
- Select a user to impersonate with the User Picker in the banner.
The correct response is 1. Open the User menu and select the Impersonate user menu item. Select a user to impersonate.
In regards to Scripting Security:
What role is required to create and edit Access Controls?
- admin
- elevated_admin
- security
- security_admin
- elevated_security
The correct response is 4. security_admin. admin alone is not sufficient to edit Access Controls. Users with the security_admin role need to use the Elevate role menu item in the User menu before creating and editing Access Controls.
In regards to Scripting Security:
Which type of record restricts access to table data and operations by requiring users to pass a set of requirements?
- ACL
- Role
- User Role
- Permission
- Access Control
The correct response is 5. Access Control. Many people say ACL when describing Access Controls. ACL is short for Access Control List, which is a collection of Access Control records that configure access to a table or field on a table.
In regards to Scripting Security:
True or False? Access Controls explicitly grant or deny access to a table.
The correct response is false. ServiceNow is default deny unless configured otherwise. Permission must be explicitly granted by Access Controls for a user to have access to records and record fields.
In regards to Scripting Security:
What are the three sections of an Access Control record that must evaluate to true to grant access to a resource?
- Condition
- Condition Script
- Script
- Advanced
- Requires Role
The correct responses are 1. Condition, 3. Script, and 5. Requires Role. Access Controls do not have a Condition Script section. The Advanced field makes the Script section visible.
In regards to Scripting Security:
The x_12345_lego_set table extends the alm_asset table. Which Access Control is evaluated first when determining whether to grant access to the serial_number field?
- x_12345_lego_set.serial_number
- x_12345_lego_set.*
- alm_asset.serial_number
- alm_asset.*
- *.serial_number
The correct response is 1. x_12345_lego_set.serial_number. The Access Control List is searched from the most specific to the most generic for a match.
In regards to Scripting Security:
Which of the following modules enables security rule debugging?
- System Diagnostics > Debugging > Debug Security Rules
- System Diagnostics > Session Debug > Debug Security Rules
- System Security > Session Debug > Debug Security Rules
- System Security > Debugging > Debug Security Rules
- Access Control > Debugging > Debug Security Rules
The correct response is 4. System Security > Debugging > Debug Security Rules.
In regards to Scripting Security:
Which of the following methods are server-side GlideSystem methods? More than one response may be correct.
- getUser()
- getUserID()
- hasRole()
- hasRoleExactly()
- isLoggedIn()
The correct responses are:
- getUser()
- getUserID()
- hasRole()
- isLoggedIn()
hasRole() is also the name of a client-side method.
Securing Applications against Unauthorized Users Module Recap
Core concepts:
- Scoped applications can be secured at the _____, _____ _____, and _____ levels
- _____ are a set of users with a common purpose
- Assign _____ and _____ to groups
- _____ and _____ records are not part of an application
- _____ _____ grant access to records and record fields
  - Create
  - Read
  - Update
  - Delete
- Debug Access Controls with the _____ _____ _____ module
- _____ users to test security
- _____ _____ roles are evaluated first, then _____, then _____
- _____, _____, and _____ must all return true for an Access Control to grant access
- Do not attempt to protect sensitive data with _____-_____ scripted security
- Scoped applications can be secured at the application, application menu, and module levels
- Groups are a set of users with a common purpose
- Assign roles and users to groups
- Groups and user records are not part of an application
- Access Controls grant access to records and record fields
  - Create
  - Read
  - Update
  - Delete
- Debug Access Controls with the Debug Security Rules module
- Impersonate users to test security
- Access Control roles are evaluated first, then conditions, then scripts
- Roles, conditions, and scripts must all return true for an Access Control to grant access
- Do not attempt to protect sensitive data with client-side scripted security
Before Query Business Rules - The *Other* Access Control
Description
Access Controls are a great tool to limit data visibility to those who need it. However, there are some drawbacks:
- The dreaded 'Number of rows removed from this list by Security constraints' message. Many organizations don't want their users to know they are being denied access, but this message makes it all too apparent.
- In large lists of data, the 'allowed' records do not bubble to the top; they can be hidden pages down in the list, where they are difficult for users to find.
- In a script-based ACL, the script must run for each row returned; in some cases, this can cause significant performance degradation.
Before Query Business Rules can help!
Before Query Business Rules - The *Other* Access Control - Support and Troubleshooting (servicenow.com)
KB0523826